SternisheFan writes "PCMag: It turns out that the "Dirty USSD" exploit demonstrated yesterday on Samsung devices affects all Android devices running anything below Android 4.1.x aka Jelly Bean.
Just to recap, the exploit (disclosed by researcher Ravi Borgaonkar at Ekoparty in Buenos Aires) uses the Android dialer to automatically "call" a USSD code (no user permission required!); the code can be spread through a legit-looking URL, an NFC attack, or a malicious QR code. The most threatening USSD code, a factory reset, was specific to Samsung TouchWiz phones and has already been disabled by Samsung. However, there are many other USSD codes that work on different Android devices, though viaForensics's Ted Eull said they aren't so easy to find.
At first we thought the vulnerability involved a combination of the Android dialer and the stock browser, but turns out it has nothing to do with the browser. Mobile security consultancy viaForensics was able to replicate the exploit with Firefox and Dolphin browsers, and concluded that the problem is just the Android dialer. Google has already released an over-the-air (OTA) patch for its own, unlocked Galaxy Nexus devices, which should now all be running at least Android 4.1.1 by now.
Mitigation: If you bought your device from a carrier, you are probably still vulnerable to this exploit. Unfortunately there's not much you can do since the only entity that can update your OS is your carrier, which isn't exactly known for timely patching (hello Android fragmentation). But all is not lost!...

Read the linked article at PCMag.com on how to protect your Android phone from this exploit."